Use first public IP (don't bypass RemoteAddr automatically)

[henvic]

This isn't affecting me (or I'd send a pull request), but I believe instead of bypassing RemoteAddr if X-Forwarded-For or X-Real-Ip header exists you should test whether RemoteAddr is public. If it is, use this value. This would be the safer (in terms of security) thing to do.

Also, you might want to have a look into https://tools.ietf.org/html/rfc7239 if you decide to support other headers.

[dayuoba]

@henvic hi may you pls give more details about the insecure problem happy to know about this : )